Mobile Devices: Risk and Exposure

Posted by Mark Greisiger

A Q&A with Nathan Steuer and Peter Coddington
Mobile devices are essentially computers that can go anywhere the employee goes. While these devices enable powerful computing capabilities, they are also easily lost and left unprotected, creating additional data security risks for organizations that use them. I asked Nathan Steuer, business development director, and Peter Coddington, CEO of PaRaBal, Inc., in Catonsville, MD, about limiting the vulnerabilities of mobile devices.

What are some of the key risk exposures facing businesses with mobile devices?
We believe that data in any enterprise, commercial or public, are the jewels of the kingdom, so when you bring devices into the ecosystem of the organization you are allowing that many more points to touch the data and potentially open it to the outer fringes. There are multiple forms the risk can take, whether it’s rogue behavior or an accidental leak, but ultimately the risk exposure is about losing control over that data.

How can network and data breach events occur through mobile devices?
Smart phones have a number of senses on them—they can communicate with Wi-Fi, Bluetooth, cellular networks, servers, near field communication technology and they can give out geographic information—so there are a lot of ways to interact and all of these interactions are connected to your enterprise network. A rogue agent or employee can put an app on the phone that allows someone to get into the network; there are spear-phishing methods through texting that create tiny URLs that lead back to the network; you can lose the phone and if there isn’t a proper password on it, anyone can access the data flowing through apps or email. If you think of all the different ways we communicate on the phone then you see that there are multiple opportunities for a breach.

Do you see any trends in this area?
As Bring Your Own Device (BYOD) is becoming the norm, employees are unknowingly exposing an organization’s data. These employees want to handle data properly on their mobile devices, but in most cases don’t know what constitutes red flag usage on their device. Another area is in undetected malware in Android apps. The sheer number of Android apps has multiplied a thousand-fold every six months. The Kaspersky Security Company released a report that said 99 percent of all attacks on mobile devices in 2012 were against Androids, but that’s not to say iOS isn’t vulnerable as well. So we’re almost seeing a throwback to the old Windows versus Apple security debate, and as Android leads market share it is more challenging.

How can a company mitigate this risk exposure?
It has to be a multipronged approach, through policies, insurance, training and potentially software solutions. There are a number of products attempting to address these issues but most organizations are not electing to run out and get them yet. We think the best place to start is by getting a mobile audit of your enterprise and understanding how many devices are involved in your network, then determining policies and controls for employees using them. But the controls need to be well designed so that they don’t interfere with productivity, for instance, requiring clunky passwords to be entered multiple times. There need to be strong user policies from a liability standpoint and thorough education for employees so they understand the risks they’re taking. Our advice is that now is the time to secure your devices and stay ahead of the curve—it’s only a matter of time until we see a catastrophic data breach on the level of Sony that starts with a mobile device.

What might insurers need to know about mobile device risks?
While a lot of carriers realize there’s a great deal of risk with mobile devices, they don’t necessarily know how to quantify that risk and how to include it in their policies, so we also help with that education on the insurer side.

In summary…
At NetDiligence® we continue to see cyber risk insurers, brokers and risk managers concerned about mobile device risk and security issues. Many have had actual losses and insurance claims paid out due to a breached mobile device housing vast amounts of personal data on their customers (not to mention intellectual property impacting the corporation). Mr. Steuer and Mr. Coddington raise some key issues about organizational risk (and legal liability) emanating from both mobile apps and mobile devices, which we believe will grow immensely over the next several years. The attack statistic trends they reference are staggering. Businesses in all sectors need to get proactive and start managing this exposure.